Overview

overview

10

Static

static

3

2659ed2cb4...18.dll

windows7-x64

10

2659ed2cb4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2659ed2cb4afab7a842b055f23ffd340_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2659ed2cb4afab7a842b055f23ffd340

  • SHA1

    509080204bd698f75f5096799f1bc7c13ecf79d9

  • SHA256

    26d370fac05289d2d7895acb5ab970e500769b0fff27e5807a0edf36a662926f

  • SHA512

    5819c6ffcd8b7ae10b2d7f5694eff3d1d19645273ae29d161e0a6ab975fa33b8d75268292c5d257c77172202afa38179127d46d1592c9ff7667523acc2186a1e

  • SSDEEP

    24576:euYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:e9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2659ed2cb4afab7a842b055f23ffd340_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2836
  • C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe
    1⤵
      PID:560
    • C:\Users\Admin\AppData\Local\MkfVeO\MoUsoCoreWorker.exe
      C:\Users\Admin\AppData\Local\MkfVeO\MoUsoCoreWorker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3136
    • C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      1⤵
        PID:716
      • C:\Users\Admin\AppData\Local\rVmu\dialer.exe
        C:\Users\Admin\AppData\Local\rVmu\dialer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1136
      • C:\Windows\system32\Magnify.exe
        C:\Windows\system32\Magnify.exe
        1⤵
          PID:2772
        • C:\Users\Admin\AppData\Local\iFS\Magnify.exe
          C:\Users\Admin\AppData\Local\iFS\Magnify.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1924

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\MkfVeO\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\MkfVeO\XmlLite.dll
          Filesize

          1.2MB

          MD5

          41791ebccdfd5fac1e23897311a29574

          SHA1

          705f2b243d33753b521d927491b535482fe5f8c6

          SHA256

          25c934bbb510c0511c2bc8de914f799af1aca0b324911f9d74e7f8871754c4ca

          SHA512

          efe39208d33a1f2dd72e3a711b949e88fdd556359f8fb3216f128ffcd005db047cb1055764f001d952532ab9a7f081237921ba96b59ca088cd5985579f9abaa1

          Download Submit

        • C:\Users\Admin\AppData\Local\iFS\MAGNIFICATION.dll
          Filesize

          1.2MB

          MD5

          b4db1dcc915a8059a88642ea392e7723

          SHA1

          6b42ad6b2559be3ea85d076b70a2bca5b934ec32

          SHA256

          ccbe7ee0b332677be2022128d8379613134bce88b41538ba4b4126280f228a60

          SHA512

          42612a7c7c1b575b6257178e93ea73402a028f92327c9d4360d13e95f352dd77b07e2fe0ae97e727a18506bad10dd655860d2db2fe00c2c0f7fc8f4ba2777d01

          Download Submit

        • C:\Users\Admin\AppData\Local\iFS\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Local\rVmu\TAPI32.dll
          Filesize

          1.2MB

          MD5

          4cf73609a7e3aa8a1d635c9f2a2ccc88

          SHA1

          1630ccfb3e0cb4e23066c26316364ecc12489907

          SHA256

          78ecb0f6f43a757974caf0d9e21a5a0a8244cbaa9c37b4fd440899308a312fb9

          SHA512

          552412dfc85a69493cbd2646675441697ed7d41f6a5dd8f504869a0e2c4d56b42dcf875317aa70a6517d8776b69c178f9c284f6a968a917283a9d54bce025e1c

          Download Submit

        • C:\Users\Admin\AppData\Local\rVmu\dialer.exe
          Filesize

          39KB

          MD5

          b2626bdcf079c6516fc016ac5646df93

          SHA1

          838268205bd97d62a31094d53643c356ea7848a6

          SHA256

          e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

          SHA512

          615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Swgfzbi.lnk
          Filesize

          1KB

          MD5

          a3bb24a2770704f1d92d91723e95b01a

          SHA1

          1c3b056e5422d683387dc1e9af2523fd8fcde1b1

          SHA256

          95345f34c70336d67f1b13a790c59ab38028ecae6ac2a40ee94d519e57a55794

          SHA512

          1732d4eda37130f742b16b6f71832a6a904badba60a318b7e21e2bb0411bc36c16efd5632ecfd56397a4c1aa7169d35a4ce9900075fcd6417ff9fed47caa189d

          Download Submit

        • memory/1136-69-0x00007FFD751A0000-0x00007FFD752D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1136-66-0x000001CA50C20000-0x000001CA50C27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1136-63-0x00007FFD751A0000-0x00007FFD752D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-85-0x00007FFD751A0000-0x00007FFD752D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2836-0-0x00007FFD751A0000-0x00007FFD752D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2836-39-0x00007FFD751A0000-0x00007FFD752D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2836-3-0x00000000026A0000-0x00000000026A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3136-52-0x00007FFD751A0000-0x00007FFD752D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3136-46-0x00007FFD751A0000-0x00007FFD752D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3136-49-0x00000242CE870000-0x00000242CE877000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-29-0x0000000000B60000-0x0000000000B67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-28-0x00007FFD8243A000-0x00007FFD8243B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-30-0x00007FFD835D0000-0x00007FFD835E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-4-0x0000000002930000-0x0000000002931000-memory.dmp

          Filesize

          4KB

          Download